When you use Google Analytics, you process personal data of your website visitors with analytical cookies. Do you ask permission to place these analytical cookies on your visitors’ computers? If not, you can go through the 6 steps in this manual to set up Google Analytics to preserve privacy of your visitors. This is necessary to comply with the General Data Protection Regulation and e-Privacy Directive.

  1. Enter into a data processing agreement with Google

Pursuant to the Article 28 of the GDPR, you must conclude a processing agreement as the data controller with Google, since they are the data processor for the purposes determined by you. You can enter into this agreement through the settings menu from Google Analytics.

Do you already have a data processing agreement with Google since before December 2016? If yes, you will now see a request for accepting the amended agreement. This agreement contains a paragraph about the newly added possibilities for Analytics on a paid ‘Analytics 360’ service.

To accept the amended agreement, do the following:

  • Log in with your webmaster account
  • Choose ‘Admin’ section of the page
  • Select ‘Account Settings’
  • Scroll to the bottom of the page to the heading ‘Data Processing amendment’

  • Click on ‘Review Amendment’. You will now see a pop-up screen with the text of the data processing agreement.

  • After you review it, click on ‘Done’

  • Click on ‘Save’ to actually enter into the agreement. You now have a data processing agreement with Google.
  1. Don’t let Google process the full IP address (Anonymize IP)

IP4 IP addresses consist of 4 so-called 3-digit octets. Google offers the option to remove the last octet from the IP address of your website visitors. This is done in temporary memory, before the IP address is stored by Google. Google calls this ‘anonymizing’. The Dutch Data Protection Authority (AP) believes that the remaining part of the IPv4 address is still personal data. This is because IPv4 is a group of a maximum of 256 computers. But we find the removal of the last octet an important measure to reduce the risks for you visitors’ privacy.

You do this as follows:

  • Log in with your webmaster account
  • Go to ‘Account User Management’
  • Click on ‘Tracking Info’
  • Select the ‘Tracking Code’ option

You now see an example of a general site tag (gtag.js) that you can add to the <HEAD> – portion of each webpage you want to track.

  • Add the yellow option configuration option to this example as in the example below
  • Note: save a screenshot with the date / time of the moment you have this line added to the source code of your website, so that you can prove when you requested this privacy-friendly measure.

  1. Disable sharing data with Google

In the default settings of Google Analytics, boxes which confirm that you share data with Google for the following five purposes are checked:

  • Google products and services (improvement thereof)
  • Benchmarking (comparison of aggregated data with other websites)
  • Technical support
  • Account specialists (access for -)
  • Google sellers / sales experts (access for -)

If you do not change these default settings, you agree for Google to process your visitors’ data you’ve collected, for their own purposes. For example, for making benchmarks of the performance of comparable websites and for improvement of other Google products and services. As a result, Google no longer merely acts as your processor, but also as a data controller and therefore shares responsibility. In that case, you must request permission from visitors on behalf of Google for the processing of personal data with Analytics cookies.

To turn this off, do the following:

  • Log in with your webmaster account.
  • Choose ‘Administration’
  • Select ‘Account Settings’
  • Uncheck all 5 options
  1. Disable sharing data with Google for advertising purposes

If you have completed step 3, Google can still use data from your website visitors, namely for advertising purposes. You must disable this at another location. You do that as follows:

  • Log in with your webmaster account.
  • Go to ‘Account user Management’
  • Click on ‘Tracking Info’
  • Select the ‘Data Collection’ option
  • You now see two options that allows Google to use Google Analytics data for advertising purposes
  • If you also use a Google advertising product, these two options are checked
  • Uncheck these options so the box says: “OFF” and click ‘Save’

  1. Do not accidentally enable the User IDs feature

Google offers the possibility to link surfing behaviour of different devices and multiple sessions. This is only allowed with prior permission from users. Therefore, check that this setting is not accidentally enabled:

  • Log in with your webmaster account.
  • Go to ‘Account user Management’
  • Click on ‘Tracking Info’
  • Select the ‘User ID’ option

  1. Inform visitors about the use of analytics

You must inform your visitors about the use of Google Analytics, for example, through your privacy policy. In this information include:

  • The use Google Analytics cookies.
  • That you have entered into a data processing agreement with Google.
  • That you have masked the last octet of the IP address.
  • That you have switched off ‘data sharing’.

We also recommend offering your visitors an opt-out option from Google Analytics.

Google offers two different options for this:

  • You can add a component to your website that allows you to opt-out offer to your users. For an explanation, see:

https://developers.google.com/analytics/devguides/collection/analyticsjs/user-opt-out

  • Google also offers a browser extension for its own browser Chrome. However, this is no adequate solution for all visitors to your website.

Depending on a national law of your jurisdiction (such as, Law on Electronic Communications) you might have to add option of consent. In that case, Google Analytics cannot be switched on unless the visitor actively clicks consent.

  1. Asking visitor’s consent

In its ‘EU user consent policy’, Google explicitly states you “must ensure that certain disclosures are given to, and consents obtained from, end users in the European Economic Area along with the UK.“. If this policy is applicable to you and you fail to comply with it, Google may limit or suspend your use of the Google product and/or terminate your agreement. Therefore, before using Google products, make sure you fulfill your obligations you accepted by the mere fact of using those products, i.e. accepting Google’s terms of use.

Marija Bošković Batarelo, mag.iur

When you use Google Analytics, you process personal data of your website visitors with analytical cookies. Do you ask permission to place these analytical cookies on your visitors’ computers? If not, you can go through the 6 steps in this manual to set up Google Analytics to preserve privacy of your visitors. This is necessary to comply with the General Data Protection Regulation and e-Privacy Directive.

  1. Enter into a data processing agreement with Google

Pursuant to the Article 28 of the GDPR, you must conclude a processing agreement as the data controller with Google, since they are the data processor for the purposes determined by you. You can enter into this agreement through the settings menu from Google Analytics.

Do you already have a data processing agreement with Google since before December 2016? If yes, you will now see a request for accepting the amended agreement. This agreement contains a paragraph about the newly added possibilities for Analytics on a paid ‘Analytics 360’ service.

To accept the amended agreement, do the following:

  • Log in with your webmaster account
  • Choose ‘Admin’ section of the page
  • Select ‘Account Settings’
  • Scroll to the bottom of the page to the heading ‘Data Processing amendment’

  • Click on ‘Review Amendment’. You will now see a pop-up screen with the text of the data processing agreement.

  • After you review it, click on ‘Done’

  • Click on ‘Save’ to actually enter into the agreement. You now have a data processing agreement with Google.
  1. Don’t let Google process the full IP address (Anonymize IP)

IP4 IP addresses consist of 4 so-called 3-digit octets. Google offers the option to remove the last octet from the IP address of your website visitors. This is done in temporary memory, before the IP address is stored by Google. Google calls this ‘anonymizing’. The Dutch Data Protection Authority (AP) believes that the remaining part of the IPv4 address is still personal data. This is because IPv4 is a group of a maximum of 256 computers. But we find the removal of the last octet an important measure to reduce the risks for you visitors’ privacy.

You do this as follows:

  • Log in with your webmaster account
  • Go to ‘Account User Management’
  • Click on ‘Tracking Info’
  • Select the ‘Tracking Code’ option

You now see an example of a general site tag (gtag.js) that you can add to the <HEAD> – portion of each webpage you want to track.

  • Add the yellow option configuration option to this example as in the example below
  • Note: save a screenshot with the date / time of the moment you have this line added to the source code of your website, so that you can prove when you requested this privacy-friendly measure.

  1. Disable sharing data with Google

In the default settings of Google Analytics, boxes which confirm that you share data with Google for the following five purposes are checked:

  • Google products and services (improvement thereof)
  • Benchmarking (comparison of aggregated data with other websites)
  • Technical support
  • Account specialists (access for -)
  • Google sellers / sales experts (access for -)

If you do not change these default settings, you agree for Google to process your visitors’ data you’ve collected, for their own purposes. For example, for making benchmarks of the performance of comparable websites and for improvement of other Google products and services. As a result, Google no longer merely acts as your processor, but also as a data controller and therefore shares responsibility. In that case, you must request permission from visitors on behalf of Google for the processing of personal data with Analytics cookies.

To turn this off, do the following:

  • Log in with your webmaster account.
  • Choose ‘Administration’
  • Select ‘Account Settings’
  • Uncheck all 5 options
  1. Disable sharing data with Google for advertising purposes

If you have completed step 3, Google can still use data from your website visitors, namely for advertising purposes. You must disable this at another location. You do that as follows:

  • Log in with your webmaster account.
  • Go to ‘Account user Management’
  • Click on ‘Tracking Info’
  • Select the ‘Data Collection’ option
  • You now see two options that allows Google to use Google Analytics data for advertising purposes
  • If you also use a Google advertising product, these two options are checked
  • Uncheck these options so the box says: “OFF” and click ‘Save’

  1. Do not accidentally enable the User IDs feature

Google offers the possibility to link surfing behaviour of different devices and multiple sessions. This is only allowed with prior permission from users. Therefore, check that this setting is not accidentally enabled:

  • Log in with your webmaster account.
  • Go to ‘Account user Management’
  • Click on ‘Tracking Info’
  • Select the ‘User ID’ option

  1. Inform visitors about the use of analytics

You must inform your visitors about the use of Google Analytics, for example, through your privacy policy. In this information include:

  • The use Google Analytics cookies.
  • That you have entered into a data processing agreement with Google.
  • That you have masked the last octet of the IP address.
  • That you have switched off ‘data sharing’.

We also recommend offering your visitors an opt-out option from Google Analytics.

Google offers two different options for this:

  • You can add a component to your website that allows you to opt-out offer to your users. For an explanation, see:

https://developers.google.com/analytics/devguides/collection/analyticsjs/user-opt-out

  • Google also offers a browser extension for its own browser Chrome. However, this is no adequate solution for all visitors to your website.

Depending on a national law of your jurisdiction (such as, Law on Electronic Communications) you might have to add option of consent. In that case, Google Analytics cannot be switched on unless the visitor actively clicks consent.

  1. Asking visitor’s consent

In its ‘EU user consent policy’, Google explicitly states you “must ensure that certain disclosures are given to, and consents obtained from, end users in the European Economic Area along with the UK.“. If this policy is applicable to you and you fail to comply with it, Google may limit or suspend your use of the Google product and/or terminate your agreement. Therefore, before using Google products, make sure you fulfill your obligations you accepted by the mere fact of using those products, i.e. accepting Google’s terms of use.